Australian Bushfires Disaster Emergency Declaration — Understanding your privacy obligations

21 January 2020
Tags: emergency

The Attorney-General has made the Privacy (Australian Bushfires Disaster) Emergency Declaration (No. 1) 2020 (the emergency declaration) under Part VIA of the Privacy Act 1988 (Cth) (Privacy Act). The emergency declaration was made in response to bushfires in Australia resulting in death, injury and property damage occurring from August 2019 into 2020.

The emergency declaration expires on 20 January 2021.

Ordinarily, Australian Government agencies and private sector organisations must comply with the Australian Privacy Principles (APPs) in the Privacy Act when handling personal information.

When an emergency declaration is in force, Part VIA of the Privacy Act allows agencies and organisations to collect, use and disclose personal information about an individual impacted by the bushfires for several permitted purposes that may not otherwise be allowed under the APPs. Agencies and organisations will still need to comply with other obligations under the Privacy Act, including notice[1] and information security requirements.[2]

The collection, use and disclosure of personal information about individuals involved in the bushfire disaster is permitted under s 80P where:

  • the agency or organisation reasonably believes that the individual may be involved in the emergency
  • the collection, use or disclosure is for a permitted purpose in relation to the emergency
  • in the case of disclosure, the disclosure is limited to certain entities and individuals. There are some differences between who an agency can disclose information to and who an organisation or another person can disclose information to.

This resource assists agencies and organisations to understand their obligations until the emergency declaration expires on 20 January 2021.

What personal information can agencies and organisations handle when an emergency declaration is in force?

Personal information means information or an opinion about an identified person, or a person who is reasonably identifiable.

For the purpose of responding to a declared emergency or disaster, personal information includes information about a person who is deceased.

Agencies and organisations should limit the personal information they disclose to that which is necessary to meet an individual’s needs.

Whose personal information can agencies and organisations handle?

Under Part VIA, agencies and organisations can handle personal information about individuals who they reasonably believe may be involved in the bushfire emergency. The personal information can only be used or disclosed for a permitted purpose.

An agency or organisation must have a reasonable, objective basis for the belief that the individual may be involved in the bushfire emergency, not merely a genuine or subjective belief. It is the responsibility of the agency or organisation to be able to justify its reasonable belief.[3]

In what circumstances can agencies and organisations handle this information?

An agency or organisation may collect, use or disclose personal information relating to an individual affected by the bushfire emergency if the collection, use or disclosure of the personal information is for a permitted purpose.

A permitted purpose is a purpose that directly relates to the Commonwealth’s response to the emergency or disaster that the emergency declaration is about.

Permitted purposes include:

  • identifying individuals who are or may be injured, missing or dead as a result of the bushfire emergency, or are otherwise involved in the emergency
  • assisting impacted individuals to obtain services such as medical treatment, health services, financial assistance or other humanitarian services
  • assisting law enforcement with the bushfire emergency
  • coordinating or managing the emergency
  • ensuring that a person who is responsible for an individual involved in the emergency is appropriately informed about the individual and the emergency response to the individual.

It is an offence to disclose personal information received under Part VIA in a way not permitted by Part VIA or other provisions in the Privacy Act.

Who can agencies disclose the information to?

If an agency has a reasonable belief that an individual is involved in the bushfire emergency, and that the disclosure is for a permitted purpose, the agency can disclose personal information about the individual to:

  • an Australian Government agency
  • a State or Territory authority, including Departments and the State fire authorities such as the NSW Rural Fire Service
  • an organisation, as defined by the Privacy Act(for example, a private sector business or non-profit organisation with a turnover of more than $3 million, or a health service provider)
  • a person who is responsible for the individual
  • any other entity that is, or is likely to be, involved in managing or assisting in the management of the emergency.[4]

Part VIA does not permit disclosure to media organisations. If a disclosure needs to be made to the media, this should be made in accordance with APP 6.

Case Studies

An aid organisation is seeking contact information for individuals impacted by the bushfire emergency, in order to provide temporary emergency aid and accommodation to them. Can my agency disclose this contact information to them?

Yes — As long as you reasonably believe the person they are seeking contact information for may be impacted by the bushfire emergency, you can disclose this information for the purposes of providing emergency relief services.

A State government agency administering bushfire disaster relief wants personal information my agency holds, for the purposes of verifying the identity of individuals who they are making disaster relief payments to. Can my agency disclose personal information to them?

Yes — As long as you reasonably believe the person they are seeking contact information for may be impacted by the bushfire emergency, you can disclose this information for the purposes of the agency providing emergency relief payments.

Who can organisations disclose the information to?

If an organisation has a reasonable belief that an individual is involved in the bushfire emergency, and that the disclosure is for a permitted purpose, the organisation can disclose personal information about the individual to:

  • an Australian Government agency
  • an entity (a person, Australian Government agency or a private sector organisation) that is directly involved in providing repatriation services, medical or other treatment, health services or financial or other humanitarian assistance services to individuals caught up in the emergency.

Part VIA does not permit disclosure to media organisations. Any disclosure to the media must be made in accordance with APP 6.

Case Studies

An Australian Government agency is seeking contact information for individuals impacted by the bushfire emergency, in order to administer bushfire emergency relief payments to them. Can my organisation disclose the contact information of the individuals we are assisting to them?

Yes — As long as you reasonably believe the person they are seeking contact information for may be impacted by the bushfire emergency, you can disclose this information for the purposes of providing financial and humanitarian relief.

Can agencies and organisations collect information from State/Territory authorities?

An agency or organisation is permitted to collect personal information about an individual from a State or Territory authority, if the agency or organisation has a reasonable belief that the individual is involved in the bushfire emergency, and the personal information is being collected for a permitted purpose.

However, Part VIA does not override State and Territory laws that may apply to the way that State and Territory authorities handle personal information, such as a State or Territory law that regulates disclosure of information.

How does Part VIA interact with secrecy provisions?

For the duration of the emergency declaration, entities will not be in breach of secrecy provisions if they use or disclose personal information in accordance with s 80P(1), unless it is a designated secrecy provision under s80P(7).

Designated secrecy provisions are:

  • sections 18, 18A, 18B and 92 of the Australian Security Intelligence Organisation Act 1979
  • section 34 of the Inspector General of Intelligence and Security Act 1986
  • sections 39, 39A, 40, 40B to 40H, 40L, 40M and 41 of the Intelligence Services Act 2001
  • sections 42 to 44 of the Office of National Intelligence Act 2018
  • sections 19 and 19A of the Census and Statistics Act 1905, as prescribed by the regulations for the purposes of this paragraph.

How can individuals get more information about the operation of Part VIA?

Individuals can contact the OAIC’s Enquiries line for information about how agencies and organisations are permitted to handle their personal information under the Part VIA provisions, or if they are concerned about the way their personal information has been handled.

Information for individuals is also available on the OAIC’s website.

Footnotes

[1] See guidance on notice requirements in the OAIC’s APP guidelines: Chapter 5: APP 5 — Notification of the collection of personal information

[2] See guidance on information security requirements in the OAIC’s APP guidelines: Chapter 11: APP 11 — Security of personal information

[3] See guidance on ‘reasonable belief’ in the OAIC’s APP guidelines: Chapter B: Key concepts, Reasonably believes

[4] Section 6 of the Privacy Act includes definitions of agency, State or Territory authority, and organisation.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au